Lay Member, Andrew Blackmore was elected as Chair of the Governance and Audit Committee.

County Councillor Tony Easson was appointed as Vice Chair.

Items 7 and 8: Martin Veale, pursuant to the Members’ Code of Conduct, declared a personal, non-prejudicial interest as Chair of Merthyr County Borough Council, Governance and Audit Committee and as a Member of the Governance and Audit Committee of Blaenau Gwent County Borough Council, partner of the Shared Resource Service (SRS).

The Chair, on behalf of the Committee, thanked outgoing members of the Committee, Councillors Ian Chandler, Tony Kear and Laura Wright for their contribution during their period of membership.  He also welcomed Councillors Ben Callard, Ann Webb and David Hughes-Jones to their first meeting.  Jan Furtek, Audit Manager, was welcomed in the role of interim Chief Internal Auditor (CIA).

No members of the public were present.

The Action List from the previous meeting was noted:

1.     Key Collaborations and Partnerships:  The CIA confirmed that the review is complete and the draft report is ready for issue and will be shared with the Committee in due course.  Key collaborations and partnerships have been considered as part of the risk assessment and drafting of the Internal Audit operational plan. There will be at least four reviews to be completed for services operating in partnership. These are Housing Benefits, Council Tax, Revenue Shared Service (Lead Authority is Torfaen County Borough Council) and the Youth Offending Service where Monmouthshire is the Lead Authority.  Any findings and recommendations from the review will be responded to accordingly. [ONGOING]

2a  Finance Team capacity: The Head of Finance reported that some appointments had been made to the Finance team. Appointments to some senior posts are ongoing. The delay is being managed by prioritisation of key pieces of work.  The aim is to complete recruitment over six to eight weeks to achieve a full complement of staff.  In response to a question, it was confirmed that focus is on the current financial situation to ensure that

the best use of resources, to continue to deliver the service changes and to produce savings.  It is hoped to meet a mid-July deadline for the draft accounts but there remain many variables that could cause delays.   The Audit Wales Officer confirmed that the timetable set out is in line with Audit Wales’s expectations and it is predicted that there should be a November certification date.

In light of this update, the Committee wished to understand the current position more fully and in particular the consequences of the prioritisation decisions being made.  Consequently, the Chair requested a concise paper setting out the Finance Team’s organisation structure, type and number of vacancies, plans for resolution and a fuller explanation of the consequences on workload and prioritisation.  A Member expressed concern about the continuing delays. [ONGOING]

      2b Trend analysis of the value of commercial investments year on year, and the income received that contributes to services:  It was noted that an e mail has been sent to Members containing the requested information. [CLOSED]

4a.  Audit Wales Outline Plan: The Chair has seen the Audit Wales letter detailing the revised timetable [CLOSED]

4b.  Training Materials for ISA 315: It was confirmed that there are no resources or events currently available. Updates will be provided as information becomes available. [CLOSED}

5a. People Strategy and Asset Management Plan: will be reported at the 19^th October meeting 2023 [ONGOING]

5b   Report language to be more concise with timelines. Will be reported in the regular report at the meeting on 19th October 2023. [CLOSED]

5c   Social enterprise (slippage of nearly a decade Wales-wide): Further information will be sought to close this item. [ONGOING]

6.  Whole authority Complaints report: Consideration of weighting system for future reports [ONGOING]

9. Review of Strategic Risk Register:

a)    An update on the remaining two elements of Risk 4 was provided  ...  view the full minutes text for item 5.

The Committee received a presentation from the Chief Operating Officer, and Deputy Chief Operating Officer of the Shared Resource Service (SRS).  Following the presentation, Committee Members were invited to ask questions:

·        A Member asked for clarification of the Monmouthshire budget and it was explained that £3,056,000 is the total contribution required for MCC services, services to schools and contracts and licenses.  This composes of £738,000 paid directly for contracts and licenses plus MCC’s contribution of £1,600,000 (totalling £2,300,000) plus £709,000 income from schools.

·        In response to a question, it was confirmed that SRS provides CCTV services for Torfaen County Borough Council and Monmouthshire County Council.  There are approximately sixty cameras being monitored in each county 24 hours daily covered by shifts of one person per shift out of office hours plus other operators in the daytime.  The cameras are set to zoom in when activity is detected.  An offer was made to the Member to speak outside the meeting to discuss specific locations.

·        A Member asking about SRS’s sustainability and plans to work towards net zero was informed that the new premises is a professionally run data centre with a certified 100% renewable energy source.

·        A Member commented that some schools are concerned about the value for money of EdTech and are seeking alternative providers.  It was explained that meeting the EdTech standards is costly, but standards are being met by those schools on SLA (confirmed by recent audit).  The schools outside the SLA may not have the equipment to meet the standard. There may be an option to reformat the SLAs. Schools need to be aware of hidden costs when seeking alternative provision.  Some Newport schools have returned to SRS services from outside providers.  Further information and contact with schools outside the SLA would be beneficial.

·        In response to a question, it was confirmed that a benchmarking exercise had been carried out across England and Wales, and the lowest percentage IT Budget of an organisation’s budget is 2.2% with and average of 2.4%. SRS percentage for its partners ranges from 1.7% to 2.1% contribution of the overall organisation’s budget delivering positive value for money.

·        A Member asked if a year-end report is provided to provide assurance and it was explained that an annual report is provided to the Board, and there are monthly reports at the Delivery Group meetings where issues are identified and dealt with.

·        A Member asked how much use is being made of the residual Blaenavon premises following the move to Newport and was informed that decommissioning is in progress, with a view to retaining office space unless alternative suitable accommodation can be found. 

·        The Chair asked how the different priorities between the six partners are managed.  The Head of Information Security and Technology explained that she manages the relationship with the SRS and the budget including SLAs with schools.  An offer was made to talk to school governors if required. It was added that digital projects, aspirations, and performance are very well communicated, managed and  ...  view the full minutes text for item 6.

The Group Auditor, Torfaen County Borough Council introduced the SRS Annual Audit Report and Audit Plan for 2023/24.  Torfaen County Borough Council provides Audit Services to the SRS on behalf of the six partners.  Questions were invited:

·        A Member noted the positive report and questioned how a weaker report would be shared with the other five partners’ Governance and Audit Committees.  It was explained that every report follows the same process and partners are asked for views at the planning stage to ensure all necessary aspects are covered. After the audit, SRS staff are met with, and a draft report written. An exit meeting is held prior to a final report being compiled and sent to senior management and the Finance and Governance Board. Reports have been shared if requested.  It was suggested that opinions of Limited or no assurance are communicated to the Chief Internal Auditor.  The plans for audits in Monmouthshire to use the CIPFA ratings were noted and it was suggested that Torfaen adopts the same ratings in the future.

·        A question was asked about audits between 2015 and 2019.  It was explained at that time, there were issues arising from there being new processes and policies and developing a relationship with a new organisation.  Since that time there is more definition and organisation that has led to improvements.  It was explained that SRS identified a need for a dedicated resource to work on audits.  30% of SRS’s working capacity is now dedicated to considering security and ensuring compliance with security controls as a priority.  10% of the allocation is for audit.  Prioritisation of audit processes is well understood by the partners.

The Chair thanked the officers for their contribution and noted that he will discuss with the CIA and Head of Information Security how best to ensure that the Committee continued to have visibility over relevant matters pertaining to the Shared Resource Service.

The Head of Information Security and Technology and Data Protection Officer presented a report on Freedom of Information Requests, Data Protection Act Breaches and Data Subject Access Requests. Following presentation of the report, the Chair invited Members to ask questions:

·        A Member questioned the increased numbers of internal reviews and asked if there had been a change in process or quality checks. It was responded that members of the public are more aware of the use of freedom of information requests if they are unable to get information direct from a service area.  There is also an increase in the technical content from the whole authority, and often the authority does not hold the information requested.  Requestors may be disappointed with the information received hence the increase in internal reviews.  It was responded that all the internal reviews were upheld.

·        A Member queried the 78% completion rate for mandatory training, if numbers undertaking the training are monitored and if there is a process planned to ensure greater compliance. It was responded that the priority is learning especially in high-risk areas where personal data is handled and breaches occur.  The training is repeated every two years.  It is mandatory that new starters complete the training.  The training is available online, face to face and bespoke to service area requirements.  Schools have a separate module as they are their own data controllers, as are County Councillors.  The Chair offered the support of the Committee to encourage better training compliance. 

An update was provided about the corporate training database that will assist in capturing data and identifying deficiencies. The Chair asked for a report of the mandatory training completion rates broken down by service area at the next meeting.

A Member emphasised that mandatory training is mandatory, and if it is considered that some staff should be classified as not a priority, and there is a good reason for doing so, their training requirement could be downgraded from mandatory.  The Member asked if there is any sanction for members of staff who have failed to comply with mandatory training.  It was confirmed that IT privileges would not be removed for business continuity reasons.  It was confirmed that there are three weeks during the year that focus on Cyber security and Data Protection to raise awareness. 

It was noted that e mails are the biggest source of data breaches, and it was queried if there was any link to staff not completing training.  It was confirmed there is no link and staff committing a data breach having not done the training are required to do the training. If they have done the training, they may have to refresh it.  Often the breach is classed as human error and the action taken is to contain the breach and inform those involved.

·        A Member asked how the number of data breaches compares with other authorities and was informed that levels are similar with the SRS partner authorities.  Work is in progress to compare information and performance  ...  view the full minutes text for item 8.

The CIA presented the Internal Audit Annual Report 2022/23. Questions were invited from the Committee Members, as follows:

·        A Member asked how far back the audit review of Tintern Old Station related to and was informed that the original review was in 2019/20.  The venue was closed due to Covid for a substantial length of time then sufficient time was required to embed revised processes and procedures.  There have been significant changes and catering is now managed in-house.  The follow up audit is in progress currently and verbal interim report with a revised opinion will be provided at the next meeting.

·        Relating to Our Lady and St. Michael’s RC Primary School and noting that no fraud has been detected, a Member asked for assurance that there had been no substantial loss of funds. It was confirmed that there was no fraud, theft or misappropriation at the school but a general lack of control was detected across some areas.  The Headteacher has been fully engaged with the process.

Regarding procurement cards, it was confirmed that officers sign to accept the terms and conditions of the card and transactions are monitored.  A follow up review will be conducted and it is hope that the issues identified will have been addressed and controls will be in place.  The work at Our Lady and St. Michael’s RC Primary School is not expected to be completed until later in the year to provide the school with time to embed  new processes. 

As per the report recommendations, the Committee endorsed the Internal Audit Annual Report for 2022/23.

The CIA presented the Draft Internal Audit Operational Plan 2023/24. Following presentation of the report, questions were invited from Members of the Committee:

·        A Member expressed concern about the limited staff resources in the Internal Audit Team and the potential need to rely on expensive external resource to carry out the full audit programme, and queried if there was any likelihood of resolution.  It was explained that it would be preferred not to use external resources. The Senior Auditor vacancy has been filled which takes the team to full complement except for the 0.5 FTE Chief Internal Auditor role. The 5 months vacancy saving for the senior auditor post may be used to procure external resource subject to cost and budgetary considerations.

·        It was questioned if the 0.5 FTE Chief Internal Auditor funding could be utilised to provide a lower grade post. This idea was not discounted but the Committee was reminded that there are recruitment issues in audit teams across Wales/UK. The delivery model is under consideration including wider regional collaboration which could give access to specialist provision e.g. IT audit skills. The Chair expects the Committee to be consulted on the proposed new delivery models.

Noting the CIA’s assessment that the target 5.5 FTE was barely adequate, the current resourcing position of 5.0 FTE and an extended, uncertain timeline for transitioning to the target delivery model, the Committee endorsed the CIA’s comments, noted the likely consequences on levels of control assurance/nature of CIA opinion able to be provided at Year end, the committee requested that this matter be escalated to the Cabinet and Council for formal noting and, as appropriate, discussion with the Deputy Chief Executive.

The Head of Finance accepted the Committee’s view whilst welcoming a period to review the position and to explore models of delivery. 

·        A Member expressed concern about the one-third reduction to the total available days and questioned if there were comparisons available in other organisations as there did not appear to be sufficient auditors to undertake the required work.  It was explained that the calculation is based on non-productive days (e.g. team meetings, appraisals, leave etc). It was added that a qualified auditor has a requirement of 40 hours CPD per year.

·        The Chair asked why a review of the controls associated with proposing and implementing the anticipated further financial savings by Heads of Service has not been built into the plan.  It was responded that all aspects have been considered and the Governance and Audit Committee is invited to input suggestions, and consideration will be given to adding time into the plan. 

The Head of Finance provided assurance that Cabinet had requested senior leadership to undertake close and regular budget monitoring of all services for 2023/24. A significant amount of pressure has been added into the budget and the financial risks and budgetary risks of non-delivery of some of those savings.  Regular meetings are being held with services presenting a high budget risk for the year and meetings are regularly held  ...  view the full minutes text for item 10.

The CIA presented a report on Internal Audit Opinions and Weakness ratings.  Following presentation of the report, questions were invited:

Members supported the changes, and it was asked if the documents embedded in the report could be circulated to Committee Members.

As recommended in the report, the Committee approved the change to audit opinions and weakness ratings in use by the Internal Audit team.

The Forward Work Plan was noted.

The minutes of the previous meeting were approved as an accurate record.